diff --git a/.github/workflows/container_foundationdb_version.yml b/.github/workflows/container_foundationdb_version.yml index cba20c208..7a359aeab 100644 --- a/.github/workflows/container_foundationdb_version.yml +++ b/.github/workflows/container_foundationdb_version.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v2 + uses: actions/checkout@v4 with: fetch-depth: 0 @@ -83,12 +83,9 @@ jobs: fi if [ -z "$tag" ]; then tag="foundationdb_${sanitized_version}_seaweedfs_${sanitized_seaweed}" + else + tag="$(sanitize "$tag")" fi - tag="${tag,,}" - tag="${tag// /-}" - tag="${tag//[^a-z0-9_.-]/-}" - tag="${tag#-}" - tag="${tag%-}" if [ -z "$tag" ]; then echo "Resulting Docker tag is empty." >&2 exit 1 @@ -98,13 +95,13 @@ jobs: echo "seaweedfs_ref=$seaweed" >> "$GITHUB_OUTPUT" - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v1 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v1 + uses: docker/setup-buildx-action@v3 - name: Login to Docker Hub - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v1 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} @@ -121,7 +118,7 @@ jobs: fi - name: Build and push image - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v2 + uses: docker/build-push-action@v6 with: context: ./docker push: ${{ github.event_name != 'pull_request' }} 
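Review bot: Replacing the full-commit pins with movable tags (`actions/checkout@v4`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/build-push-action@v6`) lets anyone who can move those tags upstream change what runs in a job that receives `secrets.DOCKER_USERNAME` and `secrets.DOCKER_PASSWORD` and pushes images. The removed lines pinned 40-character commit IDs, so this is a step back in supply-chain integrity rather than a plain version bump. Keep the upgrade, but pin each action to the commit of the intended release and keep the tag as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha-of-v3-release> # v3`. The same applies to the checkout, metadata, QEMU, Buildx, login and build-push steps changed in container_release_foundationdb.yml.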
@@ -129,6 +126,8 @@ jobs: build-args: | FDB_VERSION=${{ inputs.fdb_version || '7.4.5' }} BRANCH=${{ steps.branch.outputs.branch }} + # Note: ARM64 support requires FoundationDB ARM64 packages which are not available for all versions + # Currently only building for amd64. To enable ARM64, verify package availability and add checksums. platforms: linux/amd64 tags: ${{ steps.tag.outputs.full_image || 'seaweedfs:foundationdb-test' }} labels: | diff --git a/.github/workflows/container_release_foundationdb.yml b/.github/workflows/container_release_foundationdb.yml index 5be990b4c..55451b653 100644 --- a/.github/workflows/container_release_foundationdb.yml +++ b/.github/workflows/container_release_foundationdb.yml @@ -17,11 +17,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v2 + uses: actions/checkout@v4 - name: Docker meta id: docker_meta - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v3 + uses: docker/metadata-action@v5 with: images: | chrislusf/seaweedfs 
@@ -35,26 +35,36 @@ jobs: org.opencontainers.image.vendor=Chris Lu - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v1 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v1 + uses: docker/setup-buildx-action@v3 - name: Login to Docker Hub if: github.event_name != 'pull_request' - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v1 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} + - + name: Determine branch to build + id: branch + run: | + if [ "${{ github.event_name }}" = "push" ] && [ -n "${{ github.ref_name }}" ]; then + echo "branch=${{ github.ref_name }}" >> "$GITHUB_OUTPUT" + else + echo "branch=master" >> "$GITHUB_OUTPUT" + fi - name: Build - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v2 + uses: docker/build-push-action@v6 with: context: ./docker push: ${{ github.event_name != 'pull_request' }} file: ./docker/Dockerfile.foundationdb_large build-args: | - BRANCH=${{ github.sha }} + BRANCH=${{ steps.branch.outputs.branch }} + # Note: ARM64 support requires FoundationDB ARM64 packages which are not available for all versions platforms: linux/amd64 tags: ${{ steps.docker_meta.outputs.tags }} labels: ${{ steps.docker_meta.outputs.labels }} diff --git a/docker/Dockerfile.foundationdb_large b/docker/Dockerfile.foundationdb_large index a0ed31f2f..8e43eaf2f 100644 --- a/docker/Dockerfile.foundationdb_large +++ b/docker/Dockerfile.foundationdb_large 
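Review bot: The new `Determine branch to build` step expands `${{ github.event_name }}` and `${{ github.ref_name }}` straight into the `run:` script text, so the ref name is parsed by the shell as part of the script instead of being handled as data. Pass both values through the step's `env:` and reference them as quoted shell variables, as sketched below. Separately, `BRANCH` changes from `${{ github.sha }}` to a ref name, so the image is built from whatever that branch or tag points to when the clone runs, not from the commit that triggered the workflow. If the ref moves between trigger and build, the published image no longer corresponds to the triggering commit, so consider having the build verify `git rev-parse HEAD` against `github.sha`.

```yaml
-
  name: Determine branch to build
  id: branch
  env:
    EVENT_NAME: ${{ github.event_name }}
    REF_NAME: ${{ github.ref_name }}
  run: |
    if [ "$EVENT_NAME" = "push" ] && [ -n "$REF_NAME" ]; then
      echo "branch=$REF_NAME" >> "$GITHUB_OUTPUT"
    else
      echo "branch=master" >> "$GITHUB_OUTPUT"
    fi
# … unchanged: Build step …
```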
@@ -5,42 +5,52 @@ RUN apt-get install -y build-essential wget ca-certificates ARG FDB_VERSION=7.4.5 ENV FDB_VERSION=${FDB_VERSION} +ARG TARGETARCH # Install FoundationDB client libraries with SHA256 checksum verification # Known SHA256 checksums for FoundationDB client packages (verified 2025-01-19) # To add checksums for new versions: run docker/get_fdb_checksum.sh RUN cd /tmp && \ - case "${FDB_VERSION}" in \ - "7.4.5") \ + case "${TARGETARCH}" in \ + "amd64") FDB_ARCH="amd64" ;; \ + "arm64") FDB_ARCH="arm64" ;; \ + *) echo "Unsupported architecture: ${TARGETARCH}" >&2; exit 1 ;; \ + esac && \ + case "${FDB_VERSION}_${FDB_ARCH}" in \ + "7.4.5_amd64") \ EXPECTED_SHA256="eea6b98cf386a0848655b2e196d18633662a7440a7ee061c10e32153c7e7e112" ;; \ - "7.3.43") \ + "7.4.5_arm64") \ + EXPECTED_SHA256="TBD_RUN_get_fdb_checksum_for_arm64" ;; \ + "7.3.43_amd64") \ EXPECTED_SHA256="c3fa0a59c7355b914a1455dac909238d5ea3b6c6bc7b530af8597e6487c1651a" ;; \ + "7.3.43_arm64") \ + EXPECTED_SHA256="TBD_RUN_get_fdb_checksum_for_arm64" ;; \ *) \ - echo "ERROR: No checksum available for FDB version ${FDB_VERSION}" >&2; \ + echo "ERROR: No checksum available for FDB version ${FDB_VERSION} on ${FDB_ARCH}" >&2; \ echo "This is a security requirement. To add verification:" >&2; \ - echo " 1. Run: docker/get_fdb_checksum.sh ${FDB_VERSION}" >&2; \ + echo " 1. Run: docker/get_fdb_checksum.sh ${FDB_VERSION} ${FDB_ARCH}" >&2; \ echo " 2. Add the checksum to this Dockerfile" >&2; \ echo "Refusing to proceed without checksum verification." 
>&2; \ exit 1 ;; \ esac && \ - wget https://github.com/apple/foundationdb/releases/download/${FDB_VERSION}/foundationdb-clients_${FDB_VERSION}-1_amd64.deb && \ - echo "${EXPECTED_SHA256} foundationdb-clients_${FDB_VERSION}-1_amd64.deb" | sha256sum -c - || \ - (echo "ERROR: Checksum verification failed for FoundationDB ${FDB_VERSION}" >&2; \ + PACKAGE="foundationdb-clients_${FDB_VERSION}-1_${FDB_ARCH}.deb" && \ + wget --timeout=30 --tries=3 https://github.com/apple/foundationdb/releases/download/${FDB_VERSION}/${PACKAGE} && \ + echo "${EXPECTED_SHA256} ${PACKAGE}" | sha256sum -c - || \ + (echo "ERROR: Checksum verification failed for FoundationDB ${FDB_VERSION} (${FDB_ARCH})" >&2; \ echo "Expected: ${EXPECTED_SHA256}" >&2; \ echo "This indicates either a corrupted download or potential tampering." >&2; \ exit 1) && \ - dpkg -i foundationdb-clients_${FDB_VERSION}-1_amd64.deb && \ - rm foundationdb-clients_${FDB_VERSION}-1_amd64.deb + dpkg -i ${PACKAGE} && \ + rm ${PACKAGE} # Set up FoundationDB environment variables for CGO ENV CGO_CFLAGS="-I/usr/include/foundationdb" ENV CGO_LDFLAGS="-lfdb_c" # build SeaweedFS -RUN mkdir -p /go/src/github.com/seaweedfs/ -RUN git clone https://github.com/seaweedfs/seaweedfs /go/src/github.com/seaweedfs/seaweedfs ARG BRANCH=master -RUN cd /go/src/github.com/seaweedfs/seaweedfs && git checkout $BRANCH +RUN mkdir -p /go/src/github.com/seaweedfs/ && \ + git clone --depth 1 --branch ${BRANCH} https://github.com/seaweedfs/seaweedfs /go/src/github.com/seaweedfs/seaweedfs RUN cd /go/src/github.com/seaweedfs/seaweedfs/weed \ && export LDFLAGS="-X github.com/seaweedfs/seaweedfs/weed/util/version.COMMIT=$(git rev-parse --short HEAD)" \ && go install -tags "5BytesOffset foundationdb" -ldflags "${LDFLAGS}" 
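Review bot: The `7.4.5_arm64` and `7.3.43_arm64` branches set `EXPECTED_SHA256="TBD_RUN_get_fdb_checksum_for_arm64"`, which is not a digest, so an arm64 build downloads the package, always fails `sha256sum -c`, and then reports "corrupted download or potential tampering". That fails closed, but it raises a false tamper alarm and leaves a placeholder that invites a later edit relaxing the check to get arm64 building. Remove the two placeholder branches until real digests are recorded, so arm64 falls through to `*)` and stops before the download with "No checksum available"; the runtime-stage hunk at `@@ -59,22 +69,33 @@` has the same placeholders. In the clone step, `${BRANCH}` is unquoted; `--branch "${BRANCH}"` keeps a value containing whitespace from being split into extra git arguments.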
@@ -59,22 +69,33 @@ RUN apt-get update && \ # Install FoundationDB client library in runtime image with SHA256 checksum verification ARG FDB_VERSION=7.4.5 +ARG TARGETARCH RUN cd /tmp && \ - case "${FDB_VERSION}" in \ - "7.4.5") \ + case "${TARGETARCH}" in \ + "amd64") FDB_ARCH="amd64" ;; \ + "arm64") FDB_ARCH="arm64" ;; \ + *) echo "Unsupported architecture: ${TARGETARCH}" >&2; exit 1 ;; \ + esac && \ + case "${FDB_VERSION}_${FDB_ARCH}" in \ + "7.4.5_amd64") \ EXPECTED_SHA256="eea6b98cf386a0848655b2e196d18633662a7440a7ee061c10e32153c7e7e112" ;; \ - "7.3.43") \ + "7.4.5_arm64") \ + EXPECTED_SHA256="TBD_RUN_get_fdb_checksum_for_arm64" ;; \ + "7.3.43_amd64") \ EXPECTED_SHA256="c3fa0a59c7355b914a1455dac909238d5ea3b6c6bc7b530af8597e6487c1651a" ;; \ + "7.3.43_arm64") \ + EXPECTED_SHA256="TBD_RUN_get_fdb_checksum_for_arm64" ;; \ *) \ - echo "ERROR: No checksum available for FDB version ${FDB_VERSION}" >&2; \ - echo "Run docker/get_fdb_checksum.sh ${FDB_VERSION} to get the checksum" >&2; \ + echo "ERROR: No checksum available for FDB version ${FDB_VERSION} on ${FDB_ARCH}" >&2; \ + echo "Run docker/get_fdb_checksum.sh ${FDB_VERSION} ${FDB_ARCH} to get the checksum" >&2; \ exit 1 ;; \ esac && \ - wget https://github.com/apple/foundationdb/releases/download/${FDB_VERSION}/foundationdb-clients_${FDB_VERSION}-1_amd64.deb && \ - echo "${EXPECTED_SHA256} foundationdb-clients_${FDB_VERSION}-1_amd64.deb" | sha256sum -c - || \ - (echo "ERROR: Checksum verification failed for FoundationDB ${FDB_VERSION}" >&2; exit 1) && \ - dpkg -i foundationdb-clients_${FDB_VERSION}-1_amd64.deb && \ - rm foundationdb-clients_${FDB_VERSION}-1_amd64.deb + PACKAGE="foundationdb-clients_${FDB_VERSION}-1_${FDB_ARCH}.deb" && \ + wget --timeout=30 --tries=3 https://github.com/apple/foundationdb/releases/download/${FDB_VERSION}/${PACKAGE} && \ + echo "${EXPECTED_SHA256} ${PACKAGE}" | sha256sum -c - || \ + (echo "ERROR: Checksum verification failed for FoundationDB ${FDB_VERSION} (${FDB_ARCH})" >&2; exit 1) 
&& \ + dpkg -i ${PACKAGE} && \ + rm ${PACKAGE} # Copy SeaweedFS binary and configuration COPY --from=builder /go/bin/weed /usr/bin/ diff --git a/docker/get_fdb_checksum.sh b/docker/get_fdb_checksum.sh index cb6c5a92a..ca6fc678a 100755 --- a/docker/get_fdb_checksum.sh +++ b/docker/get_fdb_checksum.sh @@ -1,30 +1,39 @@ #!/bin/bash # Helper script to get SHA256 checksum for FoundationDB client package -# Usage: ./get_fdb_checksum.sh -# Example: ./get_fdb_checksum.sh 7.4.5 +# Usage: ./get_fdb_checksum.sh [arch] +# Example: ./get_fdb_checksum.sh 7.4.5 amd64 +# Example: ./get_fdb_checksum.sh 7.4.5 arm64 set -euo pipefail -if [ $# -ne 1 ]; then - echo "Usage: $0 " >&2 +if [ $# -lt 1 ] || [ $# -gt 2 ]; then + echo "Usage: $0 [arch]" >&2 echo "Example: $0 7.4.5" >&2 + echo "Example: $0 7.4.5 arm64" >&2 exit 1 fi FDB_VERSION="$1" -PACKAGE="foundationdb-clients_${FDB_VERSION}-1_amd64.deb" +FDB_ARCH="${2:-amd64}" + +if [ "$FDB_ARCH" != "amd64" ] && [ "$FDB_ARCH" != "arm64" ]; then + echo "Error: Architecture must be 'amd64' or 'arm64'" >&2 + exit 1 +fi + +PACKAGE="foundationdb-clients_${FDB_VERSION}-1_${FDB_ARCH}.deb" URL="https://github.com/apple/foundationdb/releases/download/${FDB_VERSION}/${PACKAGE}" -echo "Downloading FoundationDB ${FDB_VERSION} client package..." +echo "Downloading FoundationDB ${FDB_VERSION} client package for ${FDB_ARCH}..." echo "URL: ${URL}" echo "" # Download to temp directory TEMP_DIR=$(mktemp -d) -trap "rm -rf ${TEMP_DIR}" EXIT +trap 'rm -rf "${TEMP_DIR}"' EXIT cd "${TEMP_DIR}" -if wget -q "${URL}"; then +if wget --timeout=30 --tries=3 -q "${URL}"; then CHECKSUM=$(sha256sum "${PACKAGE}" | awk '{print $1}') echo "✓ Download successful" echo "" 
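Review bot: The header comment of get_fdb_checksum.sh should state that the digest it prints is computed from the same download the Dockerfile later verifies, so it only establishes trust on first use. The script fetches `${URL}`, hashes the file and prints a ready-to-paste `EXPECTED_SHA256` line; if that single download is wrong, the wrong digest is what gets committed. Suggested comment: `# NOTE: confirm the printed digest against an independent source (second machine/network or an upstream-published hash) before committing it.` Since `FDB_ARCH` is now validated against an allow-list, `FDB_VERSION` could get a matching format check before it is placed in the URL and in the printed Dockerfile snippet, e.g. `[[ "$FDB_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1`.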
@@ -32,11 +41,11 @@ if wget -q "${URL}"; then echo "${CHECKSUM}" echo "" echo "Add this to Dockerfile.foundationdb_large:" - echo " \"${FDB_VERSION}\") \\" + echo " \"${FDB_VERSION}_${FDB_ARCH}\") \\" echo " EXPECTED_SHA256=\"${CHECKSUM}\" ;; \\" else echo "✗ Failed to download package from ${URL}" >&2 - echo "Please verify the version number and URL" >&2 + echo "Please verify the version number, architecture, and URL" >&2 exit 1 fi